From: dac.override@gmail.com (Dominick Grift)
Date: Fri, 2 Sep 2016 15:48:06 +0200
Subject: [refpolicy] [PATCH] gpg: public key signature verification in
 evolution
In-Reply-To: <1472815602.23008.8.camel@trentalancia.net>
References: <1472737946.17989.0.camel@trentalancia.net>
	<7958812d-93fe-ded7-fb23-6d02c150bcb3@ieee.org>
	<bc32fd38-c6d6-aa2e-bd61-44c9a99fb344@gmail.com>
	<1472815602.23008.8.camel@trentalancia.net>
Message-ID: <09e0ed56-7f4d-71e8-d970-acecc18e2376@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/02/2016 01:26 PM, Guido Trentalancia wrote:
> Hello Dominick.
> 
> On Fri, 02/09/2016 at 10.48 +0200, Dominick Grift via refpolicy wrote:
>> On 09/02/2016 01:26 AM, Chris PeBenito via refpolicy wrote:
>>>
>>> On 09/01/16 09:52, Guido Trentalancia via refpolicy wrote:
>>>>
>>>> Let gpg verify public key signatures in the evolution mail client
>>>> application.
>>>>
>>>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>>>> ---
>>>>  policy/modules/contrib/evolution.if |   21 +++++++++++++++++++++
>>>>  policy/modules/contrib/gpg.te       |    4 ++++
>>>>  2 files changed, 25 insertions(+)
>>>>
>>>> --- refpolicy-git-06082016-
>>>> orig/policy/modules/contrib/evolution.if	2016-08-06
>>>> 21:27:11.349094280 +0200
>>>> +++ refpolicy-git-06082016/policy/modules/contrib/evolution.if	
>>>> 2016-09-01 15:33:27.072148930 +0200
>>>> @@ -128,6 +128,27 @@ interface(`evolution_stream_connect',`
>>>>
>>>>  ########################################
>>>>  ## <summary>
>>>> +##	Read evolution orbit temporary
>>>> +##	files.
>>>> +## </summary>
>>>> +## <param name="domain">
>>>> +##	<summary>
>>>> +##	Domain allowed access.
>>>> +##	</summary>
>>>> +## </param>
>>>> +#
>>>> +interface(`evolution_read_orbit_tmp_t',`
>>>
>>> evolution_read_orbit_tmp_files()
>>>
>>>
>>
>> You dont have to mention "orbit" at all. There are only sockets in
>> orbit, and push comes to show that's just a evolution socket. This
>> file
>> is outside of orbit and so it have nothing to do with orbit
>>
>> so i would just use evolution_read_tmp_files()
>>
>> however eventually it probably need rw instead of r, For example when
>> you sign emails.
> 
> Let's try to sign this message and see if it also requires write
> permissions...
> 

is that PGP/MIME or in-line signing? I dont use evolution so not sure if
it even support in-line signatures or PGP/MIME

Either way, would be easy enough to adjust if and when someone needs it

I still don't like the reference to orbit though

> Guido
> 


-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 648 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20160902/56c5ec4d/attachment.bin